Date: 5 December 2005
Updated: 14March 2007
Store hotfix 6.5.7233.54 corrects a "security hole" that allows a delegate user to send e-mail messages from the other users mailbox as the mailbox owner even though the delegate does not have Send As rights. The GoodLink Server will continuously pause all users when attempting to send inbound messages from the mobile device on MAPI_E_NO_ACCESS -2147024891 until this new Send As right is set for the GoodAdmin account.
Failed to submit
mail message for user johndoe. (HRESULT:-2147024891) Pausing user johndoe. (Security
error - Cannot access the users mailbox.)
If the store hot-fix is removed, message flow resumes on GoodLink. Please see KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;895949
Cause: Microsoft discovered that a small part of the code in a series of their store.exe hot-fixes from ver. .51-.54 breaks our Good environment. The hot-fix affects the schema of the "Send As" permission set in Exchange System Manager (ESM) at the Org level. The hot-fix, which addresses security holes, changes the "Send As" permissions requirement to be set from Active Directory and not from ESM Security tab.
Remedy: Give the GoodAdmin Service Account "Send As" permissions in Active Directory Users and Computers (ADUC):
The following steps apply the Send As permission to the GoodAdmin account for a domain. This permission must be applied to the GoodAdmin account for each domain containing GoodLink users. For example, in a forest with two child domains, A and B, this permission needs to be set for the GoodAdmin account for both domain A and domain B. If there are restrictions that do not allow the permissions to propagate from a domain to each organizational unit (this is common in hosted environments) then permissions need to be applied for each OU as well. Note that if you set this permission at the forest root domain level, it will not propagate to the child domains. You must repeat the following steps to assign the permission to the GoodAdmin account for each domain and/or OU.
Perform the following steps to give the GoodAdmin account "Send As" permissions in Active Directory Users and Computers (ADUC):
1) Launch ADUC. (Start > Administrative Tools > Active Directory Users and Computers)
2) Enable the advanced features view so that you will be able to see the security tab. (Select menu - View > Advanced Features)
3) Highlight your domain, right click on it and click on "properties".
4) Click the "Security" tab and then click "Add".
5) Enter the name of your GoodAdmin Service Account and click OK.
6) Now highlight your GoodAdmin Service Account and press the "Advanced" button.
7) In the Advanced Security Settings window click "Add"
8) Enter the name of your GoodAdmin Service Account and click OK.
9) Now a new "permissions entry" window will pop up. You need to select "User Objects" in the "Apply onto" drop down box. (Its down toward the bottom of the list).
10) Click the allow check box for the "Send As" right and select OK. Note: make sure that deny is not checked for this right.
11) Click OK to close the Advanced Security Settings window. The new entry for the GoodAdmin Service Account will show up in the permission entry list.
12) Click OK to close the properties window. The GoodAdmin Service Account should show Special Permissions set to allow.
The "Send As" permission has now been set. Please note that it may take up to 90 minutes for the Exchange Information Store to update its permissions cache and for the GoodLink server to un-pause and reconnect to the user's mailbox. Exchange replication alone can take approximate 70 minutes; therefore, to un-pause users immediately you may restart the GoodLink Server service after 70 minutes.
Troubleshooting - Please utilize the following articles:
If some or all
users remain paused after the allotted replication time please review:
17773: Users are still paused after applying the GoodAdmin service account "Send As" right for the Microsoft(MS) Exchange 2003 Message Store Hot-fix
a script that will create a report of users who do not have the "Send As"
right effectively applied to their mailbox.
17772: How to run Microsoft's reporting script to see which users do not have the "Send As" right applied for the GoodAdmin Service Account
Good's Test Send
utility will create a MAPI login for the "user profile" specified,
and attempt to send email to a specified address
17771: How to run Good's Test Send utility to verify that a specified user has the "Send As" right applied for the GoodAdmin Service Account
Known MS patches that cause this "Send As" issue:
KB 907434 - http://support.microsoft.com/kb/907434
- June 19, 2006 Revision 2.1
KB 912442 - http://support.microsoft.com/kb/912442 - June 13, 2006 Revision 1.0
KB 916803 - http://support.microsoft.com/kb/916803 - May 18, 2006 Revision 3.1
keyword(s): hotfix, msft, mskb, ms, patch, exch, paused, pausing, pause.